juangranados / powershell-scripts

PowerShell scripts for several purposes
GNU General Public License v3.0

Get-AuditReport.ps1 invalid XML character #4

Open EctoBoggan opened 1 year ago

EctoBoggan commented 1 year ago

Hey,

First of all, thanks for your script.

I tried your script on a test server and it worked pretty well. Now I'm trying to use it on a production server, but I get an error on an invalid character and the script stops.

Opening the log, I can see that it's the "|" ([char]124) character that causes the problem.

Do you have any idea?

Have a nice day!

Logs:

TerminatingError(): "Cannot convert value "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4663</EventID><Version>1</Version><Level>0</Level><Task>12800</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2022-11-23T08:18:09.283851900Z'/><EventRecordID>485559769</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='4076'/><Channel>Security</Channel><Computer>[deleted for privacy reason]</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-21-1186133324-2532958014-1589526671-7230</Data><Data Name='SubjectUserName'>[deleted for privacy reason]</Data><Data Name='SubjectDomainName'>[deleted for privacy reason]</Data><Data Name='SubjectLogonId'>0x555522cf</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>[deleted for privacy reason]\xxxxF_Modèle_xxx - Copie\Admin\Pv\Pv_Lancement.docx:|DocumentSummaryInformation</Data><Data Name='HandleId'>0x5878</Data><Data Name='AccessList'>%%4417
                </Data><Data Name='AccessMask'>0x2</Data><Data Name='ProcessId'>0x4</Data><Data Name='ProcessName'></Data><Data Name='ResourceAttributes'>S:AI</Data></EventData></Event>" to type "System.Xml.XmlDocument". Error: "'|', hexadecimal value 0x05, is an invalid character. Line 1, position 1013.""
Cannot convert value "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'
Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4663</EventID><Version>1</Version><Level>0</Level><Task>12800</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated
SystemTime='2022-11-23T08:18:09.283851900Z'/><EventRecordID>485559769</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='4076'/><Channel>Security</Channel><Computer>[deleted for privacy reason]</Computer><Security/></System><EventData><Data
Name='SubjectUserSid'>S-1-5-21-1186133324-2532958014-1589526671-7230</Data><Data Name='SubjectUserName'>[deleted for privacy reason]</Data><Data Name='SubjectDomainName'>[deleted for privacy reason]</Data><Data Name='SubjectLogonId'>0x555522cf</Data><Data Name='ObjectServer'>Security</Data><Data
Name='ObjectType'>File</Data><Data Name='ObjectName'>[deleted for privacy reason]\xxxxF_Modèle_xxx - Copie\Admin\Pv\Pv_Lancement.docx:|DocumentSummaryInformation</Data><Data Name='HandleId'>0x5878</Data><Data
Name='AccessList'>%%4417
                </Data><Data Name='AccessMask'>0x2</Data><Data Name='ProcessId'>0x4</Data><Data Name='ProcessName'></Data><Data Name='ResourceAttributes'>S:AI</Data></EventData></Event>" to type "System.Xml.XmlDocument". Error: "'|', hexadecimal value 0x05, is an invalid
character. Line 1, position 1013."
At C:\Audit Report\Get-AuditReport v3.1.ps1:174 char:9
+         $xml = [xml]$evt.ToXML()
+         ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : InvalidCastToXmlDocument

**********************
Windows PowerShell transcript end
End time: 20221123102549
**********************

gocgrup commented 1 year ago

Same! Did you find any solution?
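
An added example, not part of the thread and not the script author's code: the error in the transcript reports hexadecimal value 0x05 inside the `ObjectName` field, a control character that XML 1.0 does not allow, so the `[xml]` cast on line 174 rejects the whole event. The sketch below replaces such characters with a visible marker before the cast; the function name `ConvertTo-SafeXmlText`, the `[0xNN]` marker format and the sample path are assumptions made for this illustration.

```powershell
# Added example (not from Get-AuditReport.ps1). ConvertTo-SafeXmlText is a hypothetical helper name.
function ConvertTo-SafeXmlText {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Text
    )
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $c = $Text[$i]
        if ([System.Xml.XmlConvert]::IsXmlChar($c)) {
            # Tab, CR, LF and everything else the XML 1.0 Char production allows
            [void]$sb.Append($c)
        }
        elseif ($i + 1 -lt $Text.Length -and [char]::IsSurrogatePair($c, $Text[$i + 1])) {
            # A valid UTF-16 surrogate pair (characters above U+FFFF): keep both halves
            [void]$sb.Append($c).Append($Text[$i + 1])
            $i++
        }
        else {
            # Forbidden control character or lone surrogate: keep a readable trace
            # in the report instead of dropping it silently (marker format is an assumption)
            [void]$sb.AppendFormat('[0x{0:X2}]', [int]$c)
        }
    }
    $sb.ToString()
}

# Constructed sample modelled on the 4663 event in the log above; the path is made up.
$raw = "<Event><EventData><Data Name='ObjectName'>C:\share\report.docx:" + [char]5 +
       "DocumentSummaryInformation</Data></EventData></Event>"

# The direct cast fails the same way as in the transcript
try { $null = [xml]$raw } catch { "Direct cast fails: $($_.Exception.Message)" }

# The sanitized text parses, and the stream name stays recognisable
$xml = [xml](ConvertTo-SafeXmlText $raw)
$xml.Event.EventData.Data.'#text'

# In the script, the failing line would become:
#   $xml = [xml](ConvertTo-SafeXmlText $evt.ToXml())
```

Keeping a marker rather than deleting the character means the audit report still shows that the accessed object was an alternate data stream with a control character in its name.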